All,
I am starting work on ModSecurity 3. This version is concentrated on
isolating a ModSecurity core library from the web server component so
that we can port to other web platforms (notably Apache 1.3 and perhaps
even IIS).
With this change, I am refactoring the build. I will be making full use
of the autotools for UNIX like OSes, which seems to be working well. In
addition to this, I would like to better support building packages for
various distributions (RPMs, DEBs, etc). However, I am still undecided
(and a bit inexperienced) with how to deal with Windows builds. I would
appreciate any help, comments, suggestions and other insight into making
it easier to build distribution packages, especially for Windows.
The current layout is looking something like this (but may change). It
would be ideal to be able to build everything under *nix and Windows.
src/            # Main source tree
  msc/          # ModSecurity core
  native/       # Native module/plugin tree
    apache1/    # Apache 1.3 module
    apache2/    # Apache 2.x module
include/        # Global include files
doc/            # Documentation (docbook refman and doxygen)
rules/          # Core rules
conf/           # Example configuration files
tools/          # Tools source tree
  mlogc/        # ModSecurity Log Collector source
t/              # Test tree
build/          # Misc build scripts/macros/etc.
Again, any comments from you that would make ModSecurity easier to
package would be greatly appreciated.
thanks,
-B
--
Brian Rectanus
Breach Security

ModSecurity 2.5.7 contains quite a few fixes for some not-so-common
issues. No changes (other than version change) were made since
2.5.7-rc1. If you are seeing any of the following issues, then please
upgrade to 2.5.7.
1) Cannot turn off the request body limit check. This release allows
you to use ctl:requestBodyAccess=off and/or ctl:ruleEngine=off in
phase:1 so that you can selectively bypass this check.
2) Some XML issues were difficult (impossible?) to diagnose as the
underlying XML error/warning was not logged. All XML processing errors
and warnings are now logged to the debug log (if level is high enough).
3) XML DTD/Schema validation still succeeded when the XML was not well
formed, but could still be parsed. This is corrected and the validation
will fail on any request parsing errors.
4) The hostname logged in the error log is the canonical name, not the
request supplied name. This makes sure that there is always a hostname
in the log entry.
5) The REQUEST_BODY variable was not available unless you forced the use
of URLENCODED processor. This would cause parsing to fail if it was not
a url encoded POST. You can now use ctl:forceRequestBodyVariable=on to
force populating the REQUEST_BODY variable without setting the processor
and thus avoiding the parsing errors.
6) Certain "legacy" protocols have been ported to be tunneled in HTTP
requests. Some of these requests use the 8th bit of each byte as a
parity bit. This can cause problems when trying to perform matches on
the data. It is now possible to transform (t:parityEven7bit,
t:parityOdd7bit) or remove (t:parityZero7bit) the parity.
Packages can be downloaded from modsecurity.org as always.
The complete change log is below...
24 Sep 2008 - 2.5.7
-------------------
* Fixed XML DTD/Schema validation which will now fail after request body
processing errors, even if the XML parser returns a document tree.
* Added ctl:forceRequestBodyVariable=on|off which, when enabled, will
force the REQUEST_BODY variable to be set when a request body processor
is not set. Previously the REQUEST_BODY target was only populated by the
URLENCODED request body processor.
* Integrated mlogc source.
* Fixed logging the hostname in the error_log which was logging the
request hostname instead of the Apache resolved hostname.
* Allow for disabling request body limit checks in phase:1.
* Added transformations for processing parity for legacy protocols
ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
* Added t:cssDecode transformation to decode CSS escapes.
* Now log XML parsing/validation warnings and errors to the debug
log at levels 3 and 4, respectively.
thanks,
-B
--
Brian Rectanus
Breach Security

ModSecurity 2.5.7 will contain quite a few fixes for some not-so-common
issues. The first release candidate for 2.5.7 is available so that
those that are seeing these issues can first verify that they are indeed
fixed prior to an official 2.5.7 release.
To help us in the future, it would be nice to know if these release
candidates are useful. Please send me a note (privately) with a comment
on how useful you think the release candidates are and how (and if) you
are using them.
If you are seeing any of the following issues (even if you previously
tested a patch), then please verify that 2.5.7-rc1 does indeed correct
the issue:
1) Cannot turn off the request body limit check. This release allows
you to use ctl:requestBodyAccess=off and/or ctl:ruleEngine=off in
phase:1 so that you can selectively bypass this check.
2) Some XML issues were difficult (impossible?) to diagnose as the
underlying XML error/warning was not logged. All XML processing errors
and warnings are now logged to the debug log (if level is high enough).
3) XML DTD/Schema validation still succeeded when the XML was not well
formed, but could still be parsed. This is corrected and the validation
will fail on any request parsing errors.
4) The hostname logged in the error log is the canonical name, not the
request supplied name. This makes sure that there is always a hostname
in the log entry.
5) The REQUEST_BODY variable was not available unless you forced the use
of URLENCODED processor. This would cause parsing to fail if it was not
a url encoded POST. You can now use ctl:forceRequestBodyVariable=on to
force populating the REQUEST_BODY variable without setting the processor
and thus avoiding the parsing errors.
6) Certain "legacy" protocols have been ported to be tunneled in HTTP
requests. Some of these requests use the 8th bit of each byte as a
parity bit. This can cause problems when trying to perform matches on
the data. It is now possible to transform (t:parityEven7bit,
t:parityOdd7bit) or remove (t:parityZero7bit) the parity.
Packages can be downloaded from modsecurity.org as always.
The complete change log is below...
17 Sep 2008 - 2.5.7-rc1
-----------------------
* Fixed XML DTD/Schema validation which will now fail after request body
processing errors, even if the XML parser returns a document tree.
* Added ctl:forceRequestBodyVariable=on|off which, when enabled, will
force the REQUEST_BODY variable to be set when a request body processor
is not set. Previously the REQUEST_BODY target was only populated by the
URLENCODED request body processor.
* Integrated mlogc source.
* Fixed logging the hostname in the error_log which was logging the
request hostname instead of the Apache resolved hostname.
* Allow for disabling request body limit checks in phase:1.
* Added transformations for processing parity for legacy protocols
ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
* Added t:cssDecode transformation to decode CSS escapes.
* Now log XML parsing/validation warnings and errors to the debug
log at levels 3 and 4, respectively.
thanks,
-B
--
Brian Rectanus
Breach Security
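The parity transformations described in item 6 of both the 2.5.7 and the 2.5.7-rc1 announcements above (t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit) are reimplemented below as an added worked example in C. This is not code from ModSecurity's source or from Brian's messages; it follows only the behaviour the announcements describe (replace the 8th bit of each byte with an even or odd parity bit, or clear it). The function names, the contains_ascii() search helper and the sample request body "id=1 SELECT 1" are all constructed for the example. It shows why a rule that matches on ASCII fails on a legacy client's parity-bearing bytes until the parity bit is stripped:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parity of the low seven bits of b: 0 = even number of 1 bits, 1 = odd. */
static int parity7(unsigned char b)
{
    unsigned char v = b & 0x7f;
    int p = 0;
    while (v) {
        p ^= v & 1;
        v >>= 1;
    }
    return p;
}

/* Equivalent of t:parityEven7bit (reimplemented here, not ModSecurity's code):
 * rewrite bit 7 of every byte so the whole byte has an even number of 1 bits. */
void parity_even_7bit(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char low = buf[i] & 0x7f;
        buf[i] = (unsigned char)(low | (parity7(low) << 7));
    }
}

/* Equivalent of t:parityOdd7bit: odd number of 1 bits per byte. */
void parity_odd_7bit(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char low = buf[i] & 0x7f;
        buf[i] = (unsigned char)(low | ((parity7(low) ^ 1) << 7));
    }
}

/* Equivalent of t:parityZero7bit: clear bit 7, leaving plain 7-bit ASCII. */
void parity_zero_7bit(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] &= 0x7f;
}

/* Byte-wise search for an ASCII needle, standing in for a rule operator.
 * Any byte whose parity bit is set no longer equals its ASCII value, so the
 * comparison fails on untransformed legacy data. */
int contains_ascii(const unsigned char *data, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(data + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed sample: an even-parity copy of "id=1 SELECT 1" does not match
 * "SELECT" until the parity bits are removed. Returns 1 when the match fails
 * before parity_zero_7bit() and succeeds after it. */
int demo_parity_match(void)
{
    unsigned char body[] = "id=1 SELECT 1";   /* constructed request body */
    size_t len = sizeof(body) - 1;

    parity_even_7bit(body, len);              /* what a legacy client sends */
    int before = contains_ascii(body, len, "SELECT");

    parity_zero_7bit(body, len);              /* what the rule should match on */
    int after = contains_ascii(body, len, "SELECT");

    return before == 0 && after == 1;
}

int main(void)
{
    unsigned char word[] = "SELECT";
    parity_even_7bit(word, 6);
    for (size_t i = 0; i < 6; i++)
        printf("%02x ", word[i]);
    printf("  <- \"SELECT\" with even parity bits\n");
    printf("match fails before and succeeds after parityZero7bit: %d\n",
           demo_parity_match());
    return 0;
}
```

The point for rule writers is the last step: a rule that inspects such traffic with t:parityZero7bit before its other transformations sees plain ASCII, whereas t:parityEven7bit and t:parityOdd7bit are for the reverse direction, when the rule must match data exactly as the legacy protocol frames it.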